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MEMORANDUM  FOR  ASSISTANT  SECRETARY  OF  DEFENSE  (COMMAND, 

CONTROL,  COMMUNICATIONS  AND 
INTELUGENCE) 

DIRECTOR,  DEFENSE  RESEARCH  AND  ENGINEERING 
DIRECTOR,  DEFENSE  ADVANCED  RESEARCH 
PROJECTS  AGENCY 

SUBJECT:  Audit  Report  on  Year  2000  Program  at  the  Defense  Advanced  Research 
Projects  Agency  (Report  No.  98-182) 


We  are  providing  this  audit  report  for  information  and  use.  We  considered 
comments  on  a  draft  of  this  report  in  preparing  the  final  report. 

We  received  comments  from  the  Office  of  the  Assistant  Secretary  of  Defense 
(Command,  Control,  Communications,  and  Intelligence)  and  the  Defense  Adviced 
Research  Projects  Agency.  Comments  were  responsive,  conformed  to  the  requirements 
of  DoD  Directive  7650.3,  and  left  no  unresolved  issues.  As  a  result  of  the  comments 
from  the  Defense  Advanced  Research  Projects  Agency,  we  revised  Recommendation  1 . 
to  agree  with  the  alternative  recommendation  from  Defense  Advanced  Research 
Projects  Agency.  Therefore,  no  additional  comments  are  required. 

We  appreciate  the  courtesies  extended  to  the  audit  staff.  For  additional 
information  on  this  report,  please  contact  Mr.  Raymond  A.  Spencer  at  (703)  604-9071 
q>SN  664-9071)  or  Mr.  Roger  H.  Florence  at  (703)  604-9067  (DSN  664-9067).  See 
Appendix  B  for  the  report  distribution.  The  audit  team  members  are  listed  inside  the 
back  cover. 


David  K.  Steensma 
Dq)uty  Assistant  Inspector  General 
for  Auditing 


Office  of  the  Inspector  General,  DoD 


Report  No.  98-182 
(Project  No.  8AB-9013) 


July  31, 1998 


Year  2000  Program  at  the  Defense  Advanced 
Research  Projects  Agency 


Executive  Summary 


Introduction.  This  report  is  one  of  a  series  of  reports  being  issued  by  the  In^)ector 
General,  DoD,  in  accordance  with  an  informal  partnership  with  the  Chief  Information 
Officer,  DoD,  to  monitor  DoD  efforts  in  addressing  the  year  2000  computing  problem. 
Information  technology  systems  have  typically  used  two  digits  to  rqiresent  the  ye^, 
such  as  “98”  representing  1998,  to  conserve  electronic  storage  ^d  reduce  operating 
cost.  With  the  two-digit  format,  however,  the  year  2000  is  indistinguishable  from 
1900.  As  a  result  of  Ae  ambiguity,  computers,  associated  systems,  and  application 
programs  that  use  ^tes  to  calculate,  compare,  and  sort  could  generate  incorrect  results 
when  working  with  years  trfter  1999. 

Audit  Objectives.  Our  primary  audit  objective  was  to  determine  whether  the  Defense 
Advanced  Research  Projects  Agency  is  adequately  preparing  its  information  technology 
systems  to  resolve  date-processing  issues  for  the  year  2(X)0  computing  problem. 
Specifically,  the  audit  determined  whether  the  Defense  Advanc^  Research  Projects 
Agency  has  complied  with  the  DoD  Year  2000  Management  Plan.  The  audit  also 
evaluated  the  management  control  program  as  it  applies  to  the  audit  objective.  DoD 
recognizes  the  year  2(XX)  issue  as  a  material  management  control  weakness  area  in  the 
FY  1997  Annual  Statement  of  Assurance. 

Audit  Results.  DARPA  has  properly  examined  its  internal  management  information 
systems  for  year  2000  compliance;  however,  DARPA  did  not  review  research  contracts 
for  year  2000  considerations.  As  a  result,  DARPA  cannot  ensure  that  research  projects 
will  not  have  year  2000  date-processing  problems. 

Summary  of  Recommendations.  We  recommend  that  the  Director,  Defense 
Advanc^  Research  Project  Agency,  review  research  efforts  and  planned  systeni 
interfaces  to  determine  if  the  efforts  have  a  potential  year  2000  impact  and  modify  the 
appropriate  contr^ts.  In  addition,  we  recommended  that  contracts  be  review^  for 
year  2000  compliance  as  part  of  the  management  control  program  self-evaluation. 

Management  Comments.  The  Acting  Deputy  Assistant  Secretary  of  Defense  (Chief 
Information  Officer,  Policy  and  Implementation)  provided  comments  to  the  draft  report 
and  concurred  with  the  finding  and  recommendations.  The  Director,  Defense 
Advanced  Research  Projects  Agency,  concurred  with  the  recommendations,  although 
he  stated  that  reviews  of  information  technology  acquisitions  were  performed  in 
accordance  with  guidance  issued  by  the  Assistant  Secretary  of  Defense  (Command, 
Control,  Communications,  and  Intelligence).  However,  the  Director  also  stated  that 


the  audit  report  opened  up  new  areas  of  the  year  2000  computing  problem  that  go 
beyond  the  intent  of  the  Assistant  Secretary’s  guidance  in  reviewing  research  efforts  for 
a  potential  year  2000  impact.  The  Director  agreed  that  research  efforts  should  be 
reviewed  for  a  year  2000  impact  and  has  initiated  a  program  for  the  reviews.  See 
Part  I  for  a  summary  of  management  comments  and  Part  in  for  the  complete  text  of  the 
comments. 

Audit  Response.  Comments  of  the  Acting  Deputy  Assistant  Secretary  of  Defense 
(Chief  Information  Officer,  Policy  and  Implementation)  and  the  Director,  Defense 
Advanced  Research  Projects  Agency,  were  responsive.  As  a  result  of  the  comments  of 
Director,  Defense  Advanced  Research  Projects  Agency,  to  the  draft  report,  we  revised 
the  recommendation  to  review  research  efforts  for  a  potential  year  2(X)0  impact. 
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Part  I  -  Audit  Results 


Audit  Background 

The  year  2000  problem  is  the  term  most  often  used  to  describe  the  potential 
failure  of  information  technology  systems  to  process  or  perform  date-related 
functions  before,  on,  or  after  the  turn  of  the  century.  The  year  2000  problem  is 
rooted  in  Ae  way  automated  information  systems  record  and  compute  dates. 

For  the  past  several  decades,  systems  have  typically  used  two  digits  to  represent 
the  year,  such  as  “98"  representing  1998,  to  conserve  on  electronic  data  storage 
and  reduce  operating  costs.  With  the  two-digit  format,  however,  the  year  2000 
is  indistinguishable  from  1900.  As  a  result  of  the  ambiguity,  computers  and 
associated  systems  and  application  programs  that  use  dates  to  calculate, 
compare,  and  sort  could  generate  incorrect  results  when  working  with  years 
following  1999.  Calculation  of  year  2000  dates  is  further  complicated  because 
the  year  2000  is  a  leap  year,  the  first  century  leap  year  since  1600,  and  the 
computer  systems  and  applications  must  recognize  February  29,  2000,  as  a  valid 
date. 

Because  of  the  potential  failure  of  computers  throughout  the  Government  to  run 
or  function,  the  General  Accounting  Office  has  designated  resolution  of  the 
year  2000  problem  as  a  high-risk  program.  In  addition,  DoD  recognizes  the 
year  2000  issue  as  a  material  management  control  weakness  area  in  the  FY  1997 
Annual  Statement  of  Assurance. 

DoD  Year  2000  Management  Strategy.  In  his  role  as  the  DoD  Chief 
Information  Officer,  the  Acting  Assistant  Secretary  of  Defense  (Command, 
Control,  Communications,  and  Intelligence)  issued  the  final  version  of  the 
“DoD  Year  2000  Management  Plan"  (DoD  Management  Plan)  in  April  1997. 
The  DoD  Management  Plan  provides  the  overall  DoD  strategy  and  guidance  for 
inventorying,  prioritizing,  repairing  or  retiring  systems,  and  monitoring 
progress.  The  DoD  Management  Plan  states  that  the  DoD  Chief  Information 
Officer  has  overall  responsibility  for  overseeing  the  DoD  solution  to  the 
year  2000  problem.  Also,  the  DoD  Management  Plan  makes  the  DoD 
Components  responsible  for  the  five-phase  year  200()  management  process, 
including  awareness,  assessment,  renovation,  validation,  and  implementation 
actions.  The  Office  of  the  Assistant  Secret^  of  Defense  (Command,  Control, 
Communications,  and  Intelligence)  is  updating  the  DoD  Management  Plan, 
which  accelerates  the  completion  dates  for  resolving  the  potential  year  2000 
problem. 

Defense  Advanced  Research  Projects  Agency.  The  Defense  Advanced 
Research  Projects  Agency  (DARPA)  was  established  in  1958  as  the  first  U.S. 
response  to  the  Soviet  launching  of  Sputnik.  Since  that  time,  its  prima^ 
responsibilities  have  been  to  help  maintain  U.S.  technological  superiority  and  to 
guard  against  unforeseen  technological  advances  by  potential  adversaries.  The 
DARPA  mission  is  to  develop  imaginative,  innovative  and  often  high  risk 
research  ideas  offering  a  significant  technological  impact  that  goes  well  beyond 
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the  normal  evolutionary  development  approach,  and  to  pursue  these  ideas  from 
the  demonstration  of  technical  feasibility  through  the  development  of  prototype 
systems. 


Audit  Objectives 

Our  prima^  audit  objective  was  to  determine  whether  DARPA  is  adequately 
preparing  its  information  technology  systems  to  resolve  date-processing  issues 
for  the  year  2000  computing  problem.  Specifically,  the  audit  determined 
whether  DARPA  has  compli^  with  the  DoD  Management  Plan.  The  audit  also 
evaluated  the  management  control  program  as  it  applies  to  the  audit  objective. 
Appendix  A  describes  the  audit  scope  and  methodology,  the  results  of  the 
management  control  program  review,  and  prior  audit  coverage. 
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Status  of  the  Defense  Advanced  Research 
Projects  Agency  Year  2000  Program 

DARPA  has  properly  examined  its  internal  management  information 
systems  for  year  2000  compliance;  however,  DARPA  did  not  review 
research  contracts  for  prototypes  for  year  2000  considerations.  This 
condition  exists  because  DARPA  did  not  fully  consider  year  2000 
implications  on  ongoing  research  efforts.  As  a  result,  DARPA  cwnot 
ensure  that  research  projects  will  not  have  year  2000  date-processing 
problems. 


Actions  Taken  to  Address  the  Year  2000  Problem 

DARPA  began  looking  at  the  year  2000  problem  in  December  1995.  In 
January  1996,  DARPA  began  participating  as  a  member  of  the  DoD  Year  2000 
Work  Group  and  formed  an  internal  assessment  team  to  determine  the  scope  of 
the  problem  at  DARPA.  In  February  1996,  DARPA  developed  a  year  2000 
plan  that  included  the  following  five  phases:  awareness,  assessment, 
renovation,  validation,  and  implementation. 

The  assessment  team  completed  a  review  of  all  installed  systems  in  September 
1996  and  found  that  the  majority  of  custom-developed  software,  commercial- 
off-the-shelf  (COTS)  software,  hardware  and  associated  operating  systems  used 
at  DARPA  were  year  2000  compliant.  The  awareness  phase  will  continue  until 
the  year  2000. 

DARPA  has  properly  examined  its  management  information  systems  for 
year  2000  compliance.  Its  small  size,  with  a  staff  of  about  200,  simplified  the 
development  or  its  year  2000  strategy.  In  addition,  DARPA  was  not  required  to 
review  support  systems  because  other  Defense  agencies  provide  DARPA  with 
standard  administrative  systems  such  as  accounting,  payroll,  and  personnel 
support.  DARPA  information  systems  included  only  systems  used  for  office 
automation.  The  overall  strategy  of  DARPA  is  to  replace  existing  computer 
systems  with  COTS  systems  that  are  year  2000  compliant  by  the  end  of 
FY  1998. 


Identification  of  Systems  and  Interfaces 


DARPA  has  no  mission-critical  systems  and  no  external  interfaces.  In  its 
January  1998  year  2000  quarterly  report,  DARPA  rq)orted  only 
one  non-mission-critical  system,  the  DARPA  Management  Support  System 
(DMSS).  DARPA  did  not  include  research  and  development  projects  or 
advanc^  concept  technology  demonstration  in  its  year  2000  assessments. 
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Status  of  the  Defense  Advanced  Research  Projects  Agency  Year  2000  Program 


DARPA  Manasement  Support  System.  The  DMSS  is  an  internal  system  that 
does  not  interface  with  any  extern^  systems.  The  DMSS  was  compnsed  of  all 
COTS  except  for  the  financial  module,  which  DARPA  is  replacing  with  a 
COTS  module  that  is  year  2000  compliant.  As  of  January  1998,  die  DMSS  was 
in  the  renovation  phase  and  will  complete  the  implementation  phase  by  the  end 
of  September  1998  at  a  cost  of  $80,000,  The  DARPA  contingency  plan  if  the 
DMSS  system  fails  is  to  revert  to  a  manual  support  process  and  repair  or  replace 
using  COTS  items.  The  DARPA  contingency  plan  is  not  year  2000  spwific, 
but  it  is  part  of  the  DARPA  Continuity  of  (^rations  Plan  and  will  satisfy  any 
potential  year  2000  problem. 

In  addition,  DARPA  identified  993  devices  controlled  tw  information 
technology  or  by  microchip.  The  devices  consist  of  515  personal  computers  and 
servers,  257  communication  hardware  and  software  items,  and  221  facilities  and 
other  devices.  The  personal  computers  and  servers  and  communication 
hardware  and  software  are  part  of  the  DMSS.  DARPA  reported  that  all  the 
devices  were  year  2000  compliant. 

Research  and  Development  Projects  and  Advanced  Concept  Technology 
Demonstration  Projects.  DARPA  did  not  include  weapon  system  projects  or 
advanced  concept  technology  demonstration  projects  in  its  year  2000 
assessments.  However,  DARPA  officials  indicated  that  DARPA  project 
managers  were  aware  of  the  year  2000  problem  and  recognized  the  importance 
of  adding  the  year  2000  contract  clause  in  research  efforts  sponsored  by 
DARPA.  DARPA  did  not  plan  on  testing  contractors  year  2000  efforts  required 
in  the  contracts  because  the  projects  are  technologies  as  opposed  to  products  or 
systems.  DARPA  stated  that  the  projects  were  state-of-the-art  by  definition, 
and  DARPA  considered  the  year  20(50  risk  level  to  be  extremely  low.  We 
reviewed  two  projects,  the  Dark  Star  and  Global  Hawk,  that  were  scheduled  for 
transition  to  the  Air  Force  Joint  Program  Office  in  October  1998,  and  verified 
that  the  Joint  Program  Office  plans  to  perform  the  year  20(X)  testing  of  these 
projects.  Both  the  Under  Secretary  of  Defense  for  Acquisition  and  Technology 
and  the  Assistant  Secretary  of  Defense  (Command,  Control,  Communications 
and  Intelligence)  agree  with  the  DARPA  year  2(X)0  approach  for  the  weapon 
system  projects  and  die  advanced  concept  technology  demonstration  projects. 
However,  formal  assessments  of  the  research  efforts  are  required  to  ensure  that 
the  efforts  have  no  year  2(X)0  implications. 


Contracting 

The  Acting  Assistant  Secret^  of  Defense  (Command,  Control, 
Communications,  and  Intelligence)  issued  a  policy  memorandum  to  the 
Secretaries  of  the  Military  Departments  and  the  Directors  of  the  Defense 
agencies  on  “Acquisition  of  Year  2000  Compliant  Information  Technology  (IT) 
and  Bringing  Existing  it  into  Compliance,"  December  18,  1997.  The  policy 
states  that  aU  IT  acquired  by  the  Military  Departments  and  Defense  agencies 
shall  be  year  2000  compliwt.  The  memorandum  retpiires  the  review  of  IT 
contracts  and  other  acquisition  instruments  to  determme  whether  modifications 
to  the  contracts  are  necessary.  The  memorandum  also  states  that  orders  for  IT 
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Status  of  the  Defense  Advanced  Research  Projects  Agency  Year  2000  Program 


shall  not  be  placed  on  a  contract  or  other  accjuisition  instrument  unless  it 
requires  year  2000  compliance  or  the  order  itself  requires  year  2000 
compliance. 

The  audit  examined  1 1  contract  efforts  issued  by  DARPA  that  required  IT 
acquisitions  of  about  $1.2  million  to  accomplish  the  research  efforts. 

Four  contract  efforts  had  IT  acquisitions  approved  before  the  Assistant  Secretary 
of  Defense  (Command,  Control,  Communications,  and  Intelligence) 
memorandum;  five  contract  efforts  either  contained  the  required  year  20(X) 
clause  or  were  modified  after  the  audit;  and  two  contracts  did  not  have  the 
year  2(X)0  clause.  The  contracts  without  the  year  2000  clause  were  approved 
shortly  after  issuance  of  the  Assistant  Secretary’s  memorandum  and  contained 
n  acquisitions  valued  at  about  $130,000. 

DARPA  has  established  a  process  that  requires  the  DARPA  Chief  Information 
Officer  (CIO)  official  to  review  all  purchases  that  include  IT  and  to  ensure  that 
they  are  year  2(X)0  compliant.  Therefore,  all  future  research  efforts  for  the 
acquisition  of  IT  should  be  required  to  include  the  year  2000  requirement. 


Other  Management  Comments  and  Audit  Response  to  the 
Finding 


Other  Management  Comments.  In  his  comments  on  the  finding,  the  Director, 
DARPA,  stated  that  the  audit  report  opened  up  new  areas  of  the  year  2000 
computing  problem  that  go  beyond  the  intent  of  the  Acting  Assistant  Secretary 
of  Defense  (Command,  Control,  Communications,  and  Intelligence) 
memorandum  of  December  18,  1997.  The  Director  stated  that  DARPA 
understood  the  memorandum  to  address  IT  acquired  by  contract  and  not  the 
performance  of  computer  hardware  or  software  in  the  research  projects.  He 
said  that  although  DARPA  does  not  buy  much  hardware  and  software,  it  does 
have  a  robust  program  of  IT  and  systems  development.  DARPA  was  unclear 
about  whether  those  system  developments  should  be  categorized  as  IT 
purchases.  The  Director  stated  that  the  audit  report  questioned  whether 
computer  hardware,  software,  or  firmware  used  with  an  experimental  or 
prototype  system  could  fail  as  a  result  of  a  year  2000  problem  and  therefore 
have  an  impact  on  operational  systems.  DARPA  contracts  for  experimental 
systems,  such  as  Advanced  Technology  Demonstrators,  Advanced  Concept 
Technology  Demonstrators,  and  Section  845  prototypes,  that  do  interact  with 
operational  systems.  DARPA  will  review  those  systems  to  determine  their 
year  20(X)  vulnerabilities  and  will  fix  any  problems  immediately. 

Audit  Response.  We  agree  with  the  Director  that  ongoing  research  efforts  need 
to  be  examined  for  a  potential  year  2000  impact  and  that  the  actions  proposed 
should  identify  any  potential  problem. 
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Status  of  the  Defense  Advanced  Research  Projects  Agency  Year  2000  Prosram 


Recommendation^  Management  Comments,  and  Audit 
Response 

Revised  Recommendation.  As  a  result  of  DARPA  management  comments,  we 
have  revised  Recommendation  1.  to  require  the  review  of  research  efforts  to 
determine  whether  the  efforts  have  a  potential  year  2000  impact. 

We  recommend  that  the  Director,  Defense  Advanced  Research  Project 
Agency: 

1.  Review  research  efforts  to  determine  whether  they  have  a 
potential  year  2000  impact.  The  review  should  include  any  planned  system 
interfaces  that  are  necessary  for  the  research  efforts. 

Management  Comments.  The  Director,  DARPA,  partially  concurred  and 
stated  that  DARPA  is  not  generally  in  the  business  of  making  IT  purchases  but 
that  DARPA  will  address  year  2000  vulnerabilities  on  contracted  efforts  of 
experimental  and  prototype  systems. 

2.  Add,  when  appropriate,  the  year  2000  compliance  language  to 
the  contracts  identified  in  Recommendation  1. 

Management  Comments.  The  Director,  DARPA,  concurred  and  stated  that 
DARPA  will  add  compliance  language  to  contracts  wherever  appropriate. 

3.  Review  contracts  for  year  2000  compliance  as  part  of  the 
self-evaluation  process  for  the  management  control  program. 

Management  Comments.  The  Director,  DARPA,  concurred  and  sta^  that 
DARPA  will  conduct  the  reviews  and  actions  outlined  and  will  make  it  part  of 
the  management  control  program's  self-evaluation  process. 

The  Acting  Deputy  Assistant  Secretary  of  Defense  (Chief  Information 
Officer  Policy  and  Implementation)  Comments.  The  Acting  Deputy  Assistant 
Secretary  of  Defense  ((310  Policy  and  Implementation)  provided  comments  and 
concurred  with  the  recommendations.  For  the  full  text  of  the  Acting  Deputy 
Assistant  Secretary’s  comments,  see  Part  in. 
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Part  n  -  Additional  Information 


Appendix  A.  Audit  Process 


This  report  is  one  of  a  series  of  rq>orts  being  issued  by  the  Inspector  General, 
DoD,  in  accordance  with  an  informal  partnership  with  the  Chief  Information 
Officer,  DoD,  to  monitor  DoD  efforts  to  address  the  2000  computing 
challenge.  For  a  listing  of  audit  projects  addressing  tnis  issue,  see  the 
year  2CW  webpage  on  IGNET  (http.7/www.ignet.gov/). 


Scope 

Work  Performed.  We  reviewed  and  evaluated  DARPA  progress  in  resolving 
tiie  year  2000  computing  issue.  We  evaluated  and  compared  the  year  2000 
efforts  of  DARPA  with  those  described  in  the  DoD  Management  Plan  issued  by 
the  Assistant  Secretary  of  Defense  (Command,  Control,  Communications,  and 
Intelligence)  in  April  1997.  We  obtained  documentation  including  the  DARPA 
year  2000  implementation  plan,  DARPA  contracts,  and  various  year  2000 
correspondence  and  reports.  We  did  not  review  contracts  awarded  by  extern^ 
organizations  in  support  of  DARPA  research  projects.  We  used  the  information 
to  assess  efforts  relate  to  the  DMSS  and  DARPA  IT  research  projects. 

DoD-wide  Corporate  Level  Government  Performance  and  Results  Act 
Goals.  In  response  to  the  Government  Performance  and  Results  Act,  the  DoD 
has  established  6  DoD-wide  corporate  level  performance  objectives  and  14  goals 
for  meeting  Aose  objectives.  Tliis  report  pertains  to  achievement  of  the 
following  objective  and  goal: 

•  Objective:  Prepare  now  for  the  uncertain  future. 

•  Goal:  Pursue  a  focused  modernization  effort  that  maintains  U.S. 
qualitative  superiority  in  key  war-fighting  capabilities.  (DoD-3) 

DoD  Functional  Area  Reform  Goals.  Most  major  DoD  functional  areas  hpe 
also  established  performance  improvement  reform  objectives  and  goals.  This 
report  pertains  to  achievement  for  the  following  functional  area  objective  and 
goal: 

Information  Technology  Management  Functional  Area. 

•  Objective:  Provide  service  that  satisfy  customer  information  needs. 

•  Goal:  Upgrade  technology  base.  (ITM-2.3) 

General  Accounting  Office  High  Risk  Area.  The  General  Accounting  Office 
has  identified  several  high  risk  areas  in  the  DoD.  This  report  provides  coverage 
of  the  Information  Management  and  Technology  high  risk  area. 
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Appendix  A.  Audit  Process 


Methodology 

Audit  Type,  Dates,  and  Standards.  We  performed  this  economy  and 
efficiency  audit  from  Frfiruary  through  April  1998  in  accordance  with  the 
auditing  standards  issued  by  the  Comptroller  General  of  the  United  States,  as 
implemented  by  ^e  Inspector  General,  DoD,  and  accordingly  included  such 
tests  of  management  controls  as  we  deemed  necessary.  We  did  not  rely  on 
computer-processed  data  or  statistical  sampling  proc^ures  to  develop 
conclusions  on  this  audit. 

Contacts  During  the  Audit.  We  visited  or  contacted  individuals  and 
organizations  within  DoD.  Further  details  are  available  on  request. 


Management  Control  Program  Review 

DoD  Directive  5010.38,  “Management  Control  (MC)  Program,”  August  26, 
1996,  requires  DoD  organizations  to  implement  a  comprehensive  system  of 
management  controls  that  provides  reasonable  assurance  that  programs  are 
operating  as  intended  and  to  evaluate  the  adequacy  of  the  controls. 

Scope  of  Review  of  the  Management  Control  Program.  We  reviewed  the 
adequacy  of  the  DARPA  management  controls  over  the  year  2000  computer 
problem.  Specifically,  we  reviewed  DARPA  management  controls  over  the 
implementation  of  the  DoD  Management  Plan  issu^  in  April  1997.  DARPA 
did  not  include  the  year  2000  computer  problem  in  its  self-evaluation  of  the 
controls  because  DARPA  officials  considered  the  year  2000  computer  problem 
to  be  low  risk.  However,  DoD  recognized  the  year  2000  issue  as  a  material 
management  control  wealmess  area  in  the  F Y  1997  Annual  Statement  of 
Assurance. 

Adequacy  of  Management  Controls.  DARPA  management  controls  for  the 
year  2000  issue  were  adequate. 


Prior  Audit  Coverage 

The  General  Accounting  Office  and  the  Inspector  General,  DoD,  have 
conducted  multiple  reviews  related  to  year  2000  issues.  General  Accounting 
Office  reports  can  be  accessed  over  the  Internet  at  http//www.gao.gov. 
Inspector  General,  DoD,  reports  can  be  accessed  over  the  Internet  at 
http://www.dodig.osd.mil. 
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Appendix  B.  Report  Distribution 


Office  of  the  Secretary  of  Defense 

Under  Secretary  of  Defense  for  Acquisition  wd  Technology 
Deputy  Under  Secretary  of  Defense  (Logistics) 

Director,  Defense  Procurement 

Director,  Defense  Logistics  Studies  Information  Exchange 
Under  Secretary  of  Defense  (Comptroller) 

Deputy  Chief  Financial  Officer 

Deputy  Comptroller  (Program/Budget)  . ,  v 

Assistant  Secretary  of  Defense  (Command,  Control,  Communications  and  Intelligence) 
DoD  Year  2000  Project  Officer 
Assistant  Secretary  of  Defense  (Public  Affairs) 

Director,  Defense  Research  and  Engineering 


Department  of  the  Army 

Assistant  Secretary  of  the  Army  (Financial  Management  and  Comptroller) 
Auditor  General,  Department  of  the  Army 
Chief  Information  Officer,  Army 


Department  of  the  Navy 

Assistant  Secretary  of  the  Navy  (Financial  Management  and  Comptroller) 
Auditor  General,  Department  of  the  Navy 
Chief  Information  Officer,  Navy 


Department  of  the  Air  Force 

Assistant  Secretary  of  the  Air  Force  (Financial  Management  and  Comptroller) 
Auditor  General,  Department  of  the  Air  Force 
Chief  Information  Officer,  Air  Force 


Other  Defense  Organizations 

Director,  Ballistic  Missile  Defense  Organization 

Chief  Information  Officer,  Ballistic  Missile  Defense  Organization 
Director,  Defense  Advanced  Research  Projects  Agency 

Chief  Information  Officer,  Defense  Advanced  Research  Projects  Agency 
Director,  Defense  Commissary  Aeency 

Chief  Information  Officer,  Defense  Commissary  Agency 
Director,  Defense  Contract  Audit  Agency 

Chief  Information  Officer,  Defense  Contract  Audit  Agency 
Director,  Defense  Finance  and  Accounting  Service 

Chief  Information  Officer,  Defense  Finance  and  Accounting  Service 
Director,  Defense  Information  Systems  Agency 
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Other  Defense  Organizations  (Cont’d) 

Inspector  General,  Defense  Information  Systems  Agency 
Chief  Information  Officer,  Defense  Information  Systems  Agency 
Director,  Defense  Legal  Services  Agency 

Chief  Information  Officer,  Defense  Legal  Services  Agency 
Director,  Defense  Logistics  Agency 

Chief  Information  Officer,  Defense  Logistics  Agency 
Director,  Defense  Security  Assistance  Agency 

Chief  Information  Officer,  Defense  Security  Assistance  Agency 
Director,  Defense  Security  Service 

Chief  Information  Officer,  Defense  Security  Service 
Director,  Defense  Special  Weapons  Agency 

Chief  Information  Officer,  Defense  Special  Weapons  Agency 
Director,  National  Security  Agency 

Inspector  General,  National  Security  Agency 
Director,  On-Site  Inspection  Agency 

Chief  Information  Officer,  On-Site  Inspection  Agency 
Director,  Washington  Headquarters  Services 
Inspector  General,  Defense  Intelligence  Agency 
Inspector  General,  National  Imagery  and  Mapping  Agency 

Non-Defense  Federal  Organizations  and  Individuals 

Chief  Information  Officer,  General  Services  Administration 
Office  of  Management  and  Budget 

Office  of  Information  and  Regulatory  Affairs  . 

Technical  Information  Center,  National  Security  and  International  Affairs  Division, 

General  Accounting  Office  .  j 

Director,  Defense  Information  and  Financial  Management  Systems,  Accounting  and 
Information  Management  Division,  General  Accounting  Office 

Chairman  and  ranking  minority  member  of  each  of  the  following  congressional 
committees  and  subcommittees: 

Senate  Committee  on  Appropriations  ,  . 

Senate  Subcommittee  on  Defense,  Committee  on  Appropriations 

Senate  Committee  on  Armed  Services 

Senate  Committee  on  Governmental  Affairs 

Senate  Special  Committee  on  the  Year  2000  Technology  Problem 

House  Committee  on  Appropriations 

House  Subcommittee  on  National  Security,  Committee  on  Appropriations 

House  Committee  on  Government  Reform  and  Oversight  , 

House  Subcommittee  on  Government  Management,  Information,  and  Technology, 
Committee  on  Government  Reform  and  Oversight 
House  Subcommittee  on  National  Security,  International  Affairs,  and  Cnminal 
Justice,  Committee  on  Government  Reform  and  Oversight 
House  Committee  on  National  Security 
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Part  ni  -  Management  Comments 


Assistant  Secretary  of  Defense  (Command, 
Control,  Communications,  and  Intelligence) 
Comments 


OFriCE  OF  THE  ASSISTANT  SECRETARY  OF  DEFENSE 
6000  DEFENSE  PENTAGON 
WASHINGTON.  DC  20301-6000 


June  18,  1996 


COMMAND.  COKTWOL. 
COMMUMCATIONf.  AND 
MTCLUQCNCK 


MEMORANDUM  FOR  DIRECTOR,  ACQUISITION  MANAGEMENT  DIRECTORATE,  DODIG 

SUBJECT;  Audit  Report  on  Year  2000  Program  at  the  Defense 

Advanced  Research  Projects  Agency  (Project  No.  8AB-9013) 


Me  have  reviewed  the  draft  report  of  your  audit  to  determine 
whether  DARPA  is  adequately  preparing  its  information  technology 
systems  to  resolve  date-processing  issues  for  the  Year  2000 
computing  problem. 


We  concur  with  all  of  your  comments  in  this  audit.  Specific 
comments  with  respect  to  each  recommendation  are  attached. 

My  point  of  contact  for  this  report  is  Sally  Brown  at  (703) 
602-0967. 

Marvin  j\  L^gstonr 

Acting  Deputy  Assistant Secretary  of  Defense 
(CIO  Policy  and  fmplementation) 


Attachment 

cc: 

USD(A&T) 

DOR&E 

Dir.,  DARPA 


Assistant  Secretary  of  Defense  (Conunand,  Control,  Communications,  and 

Intelligence)  Comments 


DoDIG  Recommendations: 

1.  DoDIG  Recommendation:  Review  all  information  technology 
purchases  on  existing  contracts  to  determine  whether  the 
information  technology  products  are  Year  2000  compliant. 

OASD  (C3I)  Comment:  Concur  that  DARPA's  7  of  the  8  existing 
or  proposed  contracts  should  be  reviewed  and  modified  to 
determine  Year  2000  compliance  of  information  technology  systems. 

2.  DoDIG  Recommendation:  Add,  when  appropriate,  the  Year  2000 
compliance  language  to  the  contracts  identified  in  Recommendation 
1. 

OASD  (C3I)  Comment:  Concur:  DARPA  should  add  Year  2000 
compliance  language  to  their  existing  information  technology 
contracts  in  accordance  with  governing  guidance  and  the  DoD  Year 
2000  Management  Plan. 

3.  DoDIG  Recommendation:  Review  contracts  for  Year  2000 
compliance  as  part  of  the  management  control  program  self- 
evaluation, 

OASD  {C3I}  Comment;  Concur:  Current  DARPA  management 
control  procedures  for  contracting  are  not  adequate  to  ensure 
that  the  procurement  of  Y2K  compliant  information  technology. 
DARPA' s  management  control  procedures  must  include  routine 
contract  language  requiring  Y2K  compliance  and  procedures  for 
independent  verification  of  such  compliance. 


Defense  Advanced  Research  Projects  Agency 
Comments 


DSTNSEAOVANCEDRESE/miPROJEClSAGENCY 
370IN0RTHFMRFAXDRIVE 
AmJN6T0N,VA  22203-1714 


1 

01. 


.M  25 1998 


MEMORANDUM  FOR  ASSISTANT  INSPEQOR  GENERAL  FOR  AUDITING 

SUBJECT:  Audit  Report  on  Year  2000  Program  at  the  Defense  Advanced  Research 
Projects  Agency  (Project  No.  8AB-9013) 


This  is  in  response  to  Mr.  Thomas  Gimble’s  memorandum  of  May  12, 1998,  subject  as 
above,  requesting  agency  review  and  comment  on  the  draft  report  by  June  12, 1998.  An 
extension  of  the  due  date  was  provided  orally  by  Mr.  Roger  Florence,  Audit  Project  Manager. 

The  comments  of  the  Defense  Advanced  Research  Projects  Agency  management  are 
attached. 


F.L.  Fernandez^ 
Director 


Attachment: 
As  stated 
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Defense  Advanced  Research  Projects  Agency  Comments 


Final  Report 
Reference 


Agency  Response  to  DoDlG  Audit  of  DARPA 
(Project  No.  RAB-9013) 


Wc  think  the  findings  and  recommendations  of  the  draft  audit  report  open  up  new  areas 
of  inquiry  about  the  Year  2000  ( Y2K)  computing  problem  that  go  well  beyond  the  intent  and 
scope  of  the  memorandum  of  December  18, 1998,  issued  by  the  Assistant  Secretary  of  Defense 
(Command,  Control,  Communications,  and  Intelligence)  on  “Acquisition  of  Year  2Q00  (Y2K) 
Compliant  Information  Technology  (IT)  and  Bringing  Existing  IT  into  Compliance,”  (hereafter 
referred  to  as  the  “Valletta  memo*").  Wc  believe  the  Valletta  memo  primarily  addresses 
operational  IT  within  agencies  arul  IT  that  is  acquired  by  contract,  where  IT  is  the  subject  of 
those  contracts.  We  did  not  interpret  the  Valletta  memo  as  pertaining  to  every  contract  that  uses 
computer  hardware  or  software  in  the  performance  of  the  project. 

DARPA  docs  not  really  acquire  much  IT  in  the  sense  of  buying  computer  hardware  or 
software  sy.stems.  DARPA  has  a  robust  program  of  information  technology  and  systems 
development,  but  it  is  not  clear  that  these  contracted  efforts  should  properly  be  categorized  as 
“information  technology  purchases.”  Wc  believe  the  majority  of  DARPA  contracted  efforts  fall 
into  a  gray  area  with  respect  to  the  IT  definition  and  pose  very  little  operational  vulnerability 
from  a  Y2K  standpoint. 

Despite  the  assertion  by  the  DoDlG  on  page  4  of  the  draft  report,  DARPA  did  comply 
with  Y2K  guidance  from  the  Office  of  the  Secretary  of  Defense.  DARPA  reviewed  the  Y2K 
compliance  of  its  internal  IT  systems.  Those  systems  were  given  a  clean  bill  of  health  by  the 
audit.  DARPA  conducted  a  case  by  case  review  of  contracts  based  upon  records  of  computer- 
related  purchases  maintained  by  the  information  resources  directorate.  When  the  draft  audit 
report  criticized  that  review,  representatives  of  the  DARPA  directorates  for  information 
resources  and  contracts  management  met  with  the  DoDlG  audit  project  manager  to  resolve  most 
of  the  IG's  concerns  about  individual  contracts.  The  only  remaining  area  of  contention  was  the 
delinitjonai  disagreement  mentioned  above. 

The  inquiries  of  the  DoDIG  during  the  audit,  however,  opened  up  a  whole  new  question 
about  Y2K  that  could  potentially  affect  DARPA.  That  is,  whether  computer  hardware,  software 
or  fumware  utilized  within  an  experimental  or  prototype  system  could  fail,  thereby  having  an 
impact  upon  an  operational  system.  DARPA  does  contract  for  a  small  number  of  experimental 
systems,  such  as  Advanced  Technology  Demonstrations  (ATDs),  Advanced  Concept 
Technology  Demonstrations  ( ACTDs),  and  Section  845  prototypes,  that  do  interact  with 
operation^  systems. 

The  Director,  DARPA,  is  committed  to  going  beyond  the  confines  of  the  audit  to  look 
into  Y2K  vulnerabilities  on  these  types  of  contracted  efforts  and  fixing  any  problems 
immediately.  The  DARPA  plan  of  action  is  outlined  below  in  the  responses  to  the  specific 
recommendations. 


Revised 
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Defense  Advanced  Research  Projects  Agency  Comments 


Final  Report 
Reference 


Revised 


Recommcndstions  for  Corrective  Action 

1 .  Review  a]]  information  technology  purchases  on  existing  contracts  to  determine  whether  the 
information  technology  products  an?  Year  2000  compliant. 

Response:  Concur  in  part.  As  staled  above,  DARPA  is  not  generally  in  the  business  of  m^ng 
^^information  technology  purchases.”  Consequently,  the  recommend^  review  would  identify 
many  contracts  where  computer  assets  were  acquired  by  contractors  to  perform  research  and 
development  projects,  but  where  there  would  be  little  chance  of  Y2K  failure  since  the  assets  arc 
commercial  off-the-shelf  Even  if  a  Y2K  failure  did  occur,  there  would  be  virtually  no  adverse 
consequences  under  these  types  of  research  efforts. 

As  an  alternative  to  this  recommendation,  the  DARPA  plan  for  addressing  the  agency’s  potential 
y2K  vulnerabilities  on  contracted  efforts  is  as  follows: 


Plan  of  Action  for  Contracted  Efforts 

I.  Absolute  Assurance  Compliance  Review 

This  is  a  review  of  every  action  awarded  by  the  Contracts  Management  Directorate 

(CMD)  since  the  Valletta  memo  in  an  attempt  to  provide  absolute  assurance  about 

Y2K  compliance.  A  CMD  task  force  has  been  created  and  the  effort  is  underway. 

Planned  Completion  Dale:  July  31. 1998 

II.  Review  of  Experimental  and  Prototype  Systems 

A.  Sizing  the  Problem  -  A  data  call  has  been  issued  to  Assistant  Dixectots  for 
Program  Management  in  each  technical  office  to  identify  contracted  efforts 
that  potentially  could  encounter  a  Y2K  failure  that  could  affect  operational 
systems.  The  contractors  for  such  efforts  will  be  tasked  to  examine  the  Y2K 
situation  and  esiLmate  the  cost  of  appropriate  remedial  measures. 

B.  Prioritizing  the  Problem  -  DARPA  officials  will  assess  the  vulnerabilities  and 
prioritize  the  projects  and  contracts  for  remedial  action.  They  will  locate 
funding  and  resources,  as  applicable. 

C.  Fixing  the  Problem  -  Contract  modifications  will  be  negotiated  and  contract 
certifications  obtained,  as  a^opiiate.  Contractors  will  perform  remedial 
action.  Activities  will  be  dwumented. 

Planned  Completion  Date:  September  30, 1998 
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Defense  Advanced  Research  Projects  Agency  Comments 


2.  Add  when  appropriate  the  Year  2000  compliance  language  to  the  contracts  identiHed  in 
Recommendation  1. 

Response:  Concur.  DARPA  will  conduct  the  reviews  outlined  in  the  response  above  and  add 
compliance  language  to  contracts  wherever  appropriate. 

3.  Review  contracts  for  Year  2000  compliance  as  part  of  the  managemenl  control  program  self- 
evaluation. 

Response:  Concur.  DARPA  will  conduct  the  reviews  and  actions  outlined  in  the  response  to 
Recommendation  i  above  and  make  it  a  part  of  the  management  control  program  scJf-evaluation. 
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Audit  Team  Members 


The  Acquisition  Management  Directorate,  Office  of  the  Assistant  Inspector 
General  for  Auditing,  DoD,  produced  this  report. 

Thomas  F.  Gimble 
Patricia  A.  Brannin 
Raymond  A.  Spencer 
Roger  H.  Florence 
Rudolf  Noordhuizen 
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